Access management

Last updated: Nov 16, 2023

We've said it a time or two, and we'll say it again: we take security seriously. Access management is part of that. Find out below how we manage authentication and access to systems for both Redoxers and customers using the Redox dashboard.

Redoxers

By default, we deny Redoxers access to internal systems, applications, and customer data. We only allow access on a minimum necessary basis, following the principle of least privilege.

Complexity requirements

Each Redoxer has a unique username and complex password that they use to access our internal systems. We align our password policy with the National Institute of Standards and Technology (NIST) password guidelines and best practices. NIST emphasizes length over complexity and multi-factor authentication (MFA) over shorter rotation periods.

As such, we have high length requirements (16 characters) and require MFA whenever possible. We have single sign-on (SSO) in place for access to all internal systems.

Provisioning

Access provisioning is based on an assigned role in our human resources information system (HRIS). If the role has certain access rights assigned, the user is granted that access when they're granted the indicated role. When the user is no longer a member of that role, their access is removed. We provision access to contractors in the same way as employees, but they're placed into their own roles. We continuously update access within roles based on business needs.

Review

We review critical system accounts and privileged access rights every 60 days. We review standard user accounts upon hire, termination, and role change.

Your organization users

This group applies to any customers that are part of your Redox organization. Learn about managing your access control.

Complexity requirements

We require the following password parameters for the Redox dashboard:

  • Password must not contain common or repeated words and characters.
  • Password must be longer than 8 characters and shorter than 72 characters. Characters can be anything, including unicode and whitespace. Note that the maximum length is technically measured in UTF-8 code units rather than characters.
  • Password must not contain your name, email, or organization name.
  • Password must include two of the four categories: A-Z, a-z, 0-9, and special characters (~!@#$%^&*/?).
  • Maximum password age is 12 months.
  • Lockout occurs after 3 bad attempts.
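As an added illustration (not Redox's own code), the validator below checks a candidate password against the dashboard rules listed above. The common-word list is a constructed stand-in, and the reading of "repeated" as a tripled character or an immediately repeated sequence, plus the check of the email's local part, are assumptions.

```python
import re

# Constructed stand-in for a real "common words" list (assumption, not Redox's list).
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "redox"}
SPECIALS = set("~!@#$%^&*/?")          # the special-character set from the policy
MIN_CHARS = 9                          # "longer than 8 characters"
MAX_UTF8_UNITS = 71                    # "shorter than 72", counted in UTF-8 code units


def check_password(password: str, name: str = "", email: str = "", org: str = "") -> list[str]:
    """Return the list of policy rules the password violates (empty means acceptable)."""
    problems = []
    lowered = password.lower()

    # Length: the minimum is counted in characters, the maximum in UTF-8 code units,
    # so a password made of multi-byte characters can be rejected well under 72 characters.
    if len(password) < MIN_CHARS:
        problems.append("too short")
    if len(password.encode("utf-8")) > MAX_UTF8_UNITS:
        problems.append("too long (UTF-8 code units)")

    # Common words, and repeated characters or words. Assumed interpretation:
    # the same character three times in a row, or any sequence of two or more
    # characters immediately repeated ("goodgood", "abcabc").
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    if re.search(r"(.)\1\1|(.{2,})\2", lowered):
        problems.append("repeated characters or words")

    # Personal and organisational identifiers, compared case-insensitively.
    # For the email, the local part on its own is also rejected (assumption).
    identifiers = {"name": name, "email": email, "organization": org}
    if email and "@" in email:
        identifiers["email local part"] = email.split("@", 1)[0]
    for label, value in identifiers.items():
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")

    # Two of the four categories: A-Z, a-z, 0-9, and the policy's special characters.
    categories = [
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(categories) < 2:
        problems.append("needs at least two of: A-Z, a-z, 0-9, special")

    return problems
```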

Multi-factor authentication

MFA is available to any user via SMS text message. Organization owners can view which users have enabled MFA within the dashboard.

If you don't want to input the MFA tokens every time you log in, you can check the box for the option: "Remember this device for 30 days." You'll still have to enter the MFA tokens, though, if you explicitly log out, use a new device or incognito browser, or delete browser cookies.

SSO

We support SSO via Security Assertion Markup Language (SAML). SSO allows you to enforce your own password complexity requirements and more stringent MFA rules via your own identity provider.